A Cyber-Whodunit

From the past few years, it seems we can add cyber-attacks to the list of holiday headaches that includes congested travel, overeating, binge spending and in-laws. In December 2010, web publisher Gawker was hacked, with hackers posting source code, employee conversations, and the email addresses and passwords of hundreds of thousands of users. In late 2012, hackers probably affiliated with Iran, attacked U.S. banks, knocking their consumer-facing web services offline—this attack occurring not long after other hackers, probably affiliated with Iran, attacked oil producers in the Middle East. The 2013 holiday season saw millions of consumers’ personal and payment card details lost to a breach of retailers’ point-of-sale systems.

And this holiday season, Seth Rogen and James Franco made a movie, The Interview, that has challenged fundamental assumptions of geopolitics, foreign policy and modern international conflict, through the lens of a cyber-attack. What began as an antic film plot suddenly became a lot more real on January 2, when the Obama administration—responding to an actual cyber-attack possibly provoked by a fake movie scenario—escalated matters considerably by imposing new financial sanctions on 10 North Korean officials and three government agencies.

Story Continued Below

Yet the apparent tit-for-tat between Washington and Pyongyang has clarified very little. As “cyber-warfare” and cyber-attacks become more evolved, the more confused we seem to get about what they truly mean, and how to respond—or even who did it. Some of the more famous cyber-attacks described above have simultaneously been termed by government officials and experts alike as crime, terrorism, vandalism, acts of war and nuisances. They can’t be all five at the same time. The silver lining from these trends of cyber-attacks is greater awareness among the public on what is truly at risk, and an opportunity for government, industry and the media to cooperate to define a more consistent, less ad hoc framework on responding to cyber-attacks, identifying and punishing the true beneficiaries of cyber-crime and elevating cybersecurity out of the IT department and into boardrooms and the corporate suite.

Cyber-crime and conflict have changed over the past few years, in frequency, sophistication and notoriety. Cyber-crime has entered a new level of public awareness, as its perpetrators are referenced in politicians’ speeches and its consequences make headlines. Despite this evolution, government and the private sector continue to be taken off-guard, uneven in their cooperation, unsure in their response and inconsistent even in how they characterize and attribute cyber-attacks. What happened to Sony has been described as vandalism, theft, terrorism, even an act of war. Commentators and politicians have claimed the prerogative of recommending how Sony, the U.S.government and the world community should respond, but their recommendations are all over the place.

***

As 2014 faded into 2015, it was not totally clear what happened when Sony was hacked and its personnel “doxed” (a term for publicly publishing personal, possibly embarrassing documents or emails not meant to be published). Whoever was the perpetrator, this cyber-attack was arguably different from past attacks.

A few facts are uncontested:

• In November, Sony suffered a massive cyber-attack that resulted in widespread corporate system outages, as well as data theft.

• Someone with access to the stolen data began posting it for the world to download.

• At some point, the release of the Sony Pictures Entertainment movie The Interview became connected to the motivations, objectives and demands of the hackers.

• Sony employees (and by implication affiliates such as theater owners) were subjected to threats of physical violence if Sony released The Interview.

• President Barack Obama did not approve of some elements of Sony’s response.

• FBI and other U.S. government authorities attributed the original cyber attack to North Korea, and Obama promised retaliation.

• North Korea’s leader, Kim Jong-un, is a satirical subject of The Interview.

• North Korea is a bizarre, dangerous country, even by the most objective of standards.

Just about everything else associated with this cyber-attack and its response is being publicly contested. But there are already a few aspects of this episode that are unprecedented, while others conjure lessons from previous attacks that we should have learned decades ago:

Not your grandfather’s Pearl Harbor. The most popular theory of what happened is that North Korea hacked Sony in retaliation for Sony’s production of a movie that North Korea feels insults its leader. If true, that makes this a rather special geopolitical hack. Some pundits are calling what happened an act of war, and have implicated a conspiracy of Communist regimes behind the hack. This wasn’t what the Pentagon originally envisioned for cyberwar, though.

Secretaries of Defense have been talking since the 1990s about a “cyber Pearl Harbor,” typically characterized as a massive attack on infrastructure such as the electric grid or transportation, usually envisioning massive economic damage and even great loss of life, as a strategic element accompanying a broader conflict among powers. This has been the dark future of various government and think-tank scenarios, predicting how nation-states would use cyberspace as a battlefield for national political or military advantage.

Page:

Neal Pollard is a senior fellow at the Atlantic Council’s Cyber Statecraft Initiative, and adjunct professor at Georgetown University. The opinions contained herein are his own and do not reflect those of any of his institutional affiliations.